A line of nearly a thousand people snaked outside Tencent's Shenzhen headquarters on March 6. They carried laptops and hard drives. They waited for hours while company engineers installed OpenClaw, the open-source AI agent that had gripped China's tech world for weeks, free of charge.

Five days later, Beijing told state-run banks, government agencies, and military families to uninstall it.

In between those two events, Tencent shipped WorkBuddy. Zhipu AI launched AutoClaw. Xiaomi released Miclaw. Baidu rolled out one-click cloud deployment. Moonshot pushed Kimi Claw. The ban and the domestic replacements arrived in the same news cycle, and that timing tells you more about Beijing's AI strategy than any white paper ever will.

The Breakdown


The lobster everyone wanted to raise

OpenClaw hit 250,000 GitHub stars faster than any open-source project in history, outrunning even Linux. Created by Austrian developer Peter Steinberger and launched last November, the tool acts as an autonomous digital worker. It clears your inbox, books dinner reservations, checks in for flights. Even drafts reports. ChatGPT and Claude live on corporate servers. OpenClaw runs on your machine, with full access to your files and apps. Send it a WhatsApp message, and it gets to work. It works while you sleep.

Token consumption on low-cost Chinese models surged six-fold as users kept their agents running around the clock. On OpenRouter, the API marketplace that routes requests to hundreds of LLMs, Chinese models overtook American ones in usage volume for the first time in late February. E-commerce platforms listed door-to-door OpenClaw installation for 499 yuan, roughly $72. A cottage industry of freelance installers popped up on WeChat, charging ten times that for "premium" setup with custom configurations. Social media overflowed with tutorials on how to "raise a lobster," the affectionate nickname drawn from OpenClaw's crustacean logo.

Local governments piled on. Shenzhen's Longgang district, home to China's first AI and robotics bureau, drafted measures to build an "OpenClaw-centred AI ecosystem" and support so-called one-person companies. Wuxi's high-tech district offered subsidies up to 5 million yuan ($690,000) for manufacturing applications built on the platform. Everyone wanted a lobster.

Then the security warnings landed. CNCERT, China's national cybersecurity coordination center, published two official alerts within three days. Researchers found more than 40,000 OpenClaw instances exposed on the public internet, over 60% carrying vulnerabilities severe enough to hand attackers full control. One flaw, dubbed ClawJacked, let any malicious website hijack an OpenClaw session silently. No clicks required. Prompt injection, credential leakage, accidental file deletion. The problems were real.

And very convenient.

Beijing has run this play before

The sequence is textbook if you've watched Chinese tech policy across the past two decades. A foreign product proves massive domestic demand. Regulators surface sovereignty and security concerns. Domestic alternatives materialize. The foreign product gets walled off. The domestic clones absorb the market.

Google. Facebook. Twitter. Each of those cycles took years to play out. OpenClaw's took weeks.

Open source made the acceleration possible. Pushing out Google in 2010 forced Baidu to build a search engine from scratch. Squeezing WhatsApp worked only because Tencent had already spent years on WeChat. Those were slow, expensive bets that required genuine engineering from scratch. OpenClaw's entire codebase sits on GitHub for anyone to fork. Chinese companies didn't need to replicate the technology. They grabbed the code, swapped in domestic large language models, rerouted data processing to Chinese servers, and wrapped the result in a consumer-friendly installer.


Zhipu's AutoClaw plugs directly into ByteDance's Feishu workplace app. Tencent's WorkBuddy deploys from a phone in one minute. Xiaomi's Miclaw runs natively on smartphones and home appliances. Each version replaces OpenClaw's inference engine with a Chinese LLM, which means all computation stays on domestic infrastructure. The agentic capability remains. The foreign data pipeline vanishes.

MiniMax, which launched its own derivative called MaxClaw in late February, has watched its stock climb 640% since its IPO two months ago. It's now worth $49 billion. More than Baidu, which until recently was supposed to be leading China's AI charge. The rally tells you where the money sits. Beijing's preferred outcome is already priced in.

The security fears are genuine. The policy response is theater.

Give Beijing credit for one thing. The security problems are real. Agent platforms requesting broad system permissions create attack surfaces that barely existed a year ago. One researcher called the combination of private data access, external communication capability, and exposure to untrusted content a "lethal trifecta." The OpenClaw team patched more than 40 security flaws in February alone. Earlier this year, the Moltbook platform for AI agents left 32,000 API keys in a publicly accessible database. Agent security across the industry is genuinely fragile.

But watch where the ban actually lands. Central government agencies, state-owned banks, some military families. Internal memos circulated through WeChat groups at state-owned banks told employees to check their devices and report any OpenClaw installations to supervisors. Staff at certain institutions can't install it even on personal phones connected to corporate networks. That reads as legitimate data protection for sensitive entities. Reasonable, even.

Now look at what the same government does in parallel. Shenzhen publishes draft measures to build a local AI agent industry around OpenClaw. Wuxi dangles million-yuan subsidies. Premier Li Qiang's annual work report calls for "large-scale commercial application" of AI agents, the first time agentic AI has appeared in the government's official planning documents. Beijing's own "AI plus" action plan, the national framework local governments cite when handing out those subsidies, stays in full force.

Central ban on the foreign tool. Local subsidies for its domestic clones. Same week. Same underlying technology. A government genuinely anxious about security would issue a unified response. This is a pincer movement: restrict the original where it touches state data, accelerate replacements everywhere else. China's surveillance apparatus grew from exactly this kind of coordinated split between central directives and local execution. The authorities in Beijing are not defensive about this contradiction. They're emboldened by it.

What this means if you build agent platforms

OpenClaw just proved that an open-source agent platform can be nationally forked in weeks, not years. Every country watching took notes. Any government with data sovereignty ambitions now knows it can grab the code, replace the model layer, and deploy a domestic version before the original developer finishes writing a blog post about adoption milestones. The agentic AI market is bifurcating along the same geopolitical fault lines that already split cloud computing and social media.

OpenClaw takes the most immediate hit, and it's financial. Chinese users burning tokens on domestic models instead of routing through OpenRouter shifts revenue away from the project's broader ecosystem. Steinberger joined OpenAI last month and left OpenClaw under a foundation structure. The community will persist. But the commercial opportunity in the world's most enthusiastic AI-adopting market just got rerouted to Tencent, Baidu, and Zhipu.

For enterprise security teams everywhere, the lesson is blunt. Agentic AI with broad system permissions is a risk category that traditional endpoint protection was never designed for. When your AI assistant reads files, sends messages, and executes commands on its own, a single prompt injection cascades through systems in ways a compromised browser tab never could. That's true whether you sit in Shanghai or San Francisco.

Beijing got something more valuable than any single product ban. A template. "Embodied AI" is a target industry through 2030. Every future agent platform that gains traction in China will face the same sequence: let foreign tools validate demand, trigger a security review, replace with domestic forks. The lobster trap works. Expect it to be reused.

Frequently Asked Questions

What is OpenClaw and why is China obsessed with it?

OpenClaw is an open-source AI agent created by Austrian developer Peter Steinberger. It runs locally on your computer, managing email, booking restaurants, and drafting reports autonomously. It hit 250,000 GitHub stars faster than any open-source project in history. In China, users call it "raising a lobster" after its crustacean logo, and adoption surged so fast that e-commerce platforms began offering door-to-door installation services for 499 yuan.

Which Chinese companies built OpenClaw alternatives?

At least five major companies shipped clones within weeks. Tencent launched WorkBuddy, Zhipu AI released AutoClaw with Feishu integration, Xiaomi built Miclaw for smartphones, Baidu offered one-click cloud deployment, and Moonshot AI rolled out Kimi Claw. Each swaps OpenClaw's inference engine with a Chinese large language model, keeping all data processing on domestic servers.

What security vulnerabilities did researchers find in OpenClaw?

Researchers discovered more than 40,000 OpenClaw instances exposed on the public internet, with over 60% carrying exploitable vulnerabilities. The most alarming flaw, dubbed ClawJacked, allowed any malicious website to hijack an OpenClaw session without user interaction. CNCERT issued two official warnings within three days citing prompt injection and credential leakage risks.

How does this compare to China's past treatment of foreign tech platforms?

Beijing used the same playbook with Google, Facebook, and Twitter: let the foreign product prove demand, raise sovereignty concerns, then replace it with domestic alternatives. The key difference is speed. Those earlier cycles took years. OpenClaw's open-source codebase let Chinese companies fork the code, swap in domestic LLMs, and ship working products within weeks.

What is Beijing's AI plus action plan and how does it relate to the ban?

The AI plus action plan promotes embedding AI throughout China's economy. Local governments cite it when offering subsidies for OpenClaw projects. The contradiction is deliberate: central authorities ban the foreign tool from sensitive institutions while local governments fund domestic versions of the same technology. Premier Li Qiang's 2026 work report called for large-scale commercial application of AI agents.

Anthropic Lost the Pentagon Contract. It Won the Argument. Then Offered to Keep the Lights On.
On Thursday afternoon, the Department of Defense formally notified Anthropic that the company and its products "are deemed a supply chain risk, effective immediately." The label has historically been
The Implicator
OpenAI Signed the Pentagon Deal. Anthropic Wrote It.
Friday night, Sam Altman posted a statement so carefully calibrated it read like a legal brief disguised as a social media post. OpenAI had reached an agreement with the Department of War. Its models
The Implicator
OpenAI's Pentagon Deal Claims the Same Red Lines That Got Anthropic Blacklisted
Sam Altman announced Friday night that OpenAI reached an agreement with the Pentagon to deploy its AI models on classified military networks, claiming the deal preserves the same safety red lines that
The Implicator
AI News

New Delhi

Freelance correspondent reporting on the India-U.S.-Europe AI corridor and how AI models, capital, and policy decisions move across borders. Covers enterprise adoption, supply chains, and AI infrastructure deployment. Based in New Delhi.